EXTERNAL USERS ACCEPTABLE USE POLICY
Policy Number:
External Users Acceptable Use Policy
Reviewed by: Vineel Katipally, Chief Technology Officer
Approved by: Stephen Kaplan, Chief Privacy Officer; Tom Wicker, COO
I. Overview
Information systems are an important resource for HealthPlanOne, LLC (“HPO” or “Company”) Users (“Users” are any individuals or entities who use or access any HPO Information Resources, and all actions of User shall bind any entity that employs or hires User to conduct business with HPO). All Users must agree to and understand the appropriate procedures to protect HPO’s Information Resources and the importance of the data contained therein.
II. Definitions
Information Resource(s) – facilities, hardware, software, and any item in any way related to HPO’s Information System.
Information System – information collected, transmitted, stored, and/or archived using telephones, cell phones, pagers, voice mail, electronic mail accounts (E-mail), Internet, the World Wide Web (WWW), LAN/WAN access software, HPO intranet, computers, servers, networks, peripherals, fax machines, modems, firewalls, routers, switches, hubs, and related equipment.
III. Purpose
The purpose of this policy is to ensure that Users:
- Are aware of information security threats and concerns and liabilities;
- Understand their role in protecting the privacy of health information;
- Understand their responsibilities as Users in order to reduce the risk of theft, fraud or misuse of information and Information Resources; and
- Understand their liability and the liability of their organizations when using HPO Information Resources.
This policy provides useful tips and techniques to promote effective use of HPO’s Information Resources.
IV. Scope
This policy applies to all Users.
V. Policy
A. Information Access, Content, and Use
HPO utilizes sophisticated computer and communications systems as part of its daily functions. These technologies support our business activities by enabling closer, more effective and timely communications among personnel within HPO and with our consumers, customers, partners and vendors worldwide. The guidelines in this policy advise all Users regarding the access to and the disclosure of Information Resources. These guidelines establish HPO's expectations for all Users concerning the disclosure of information via HPO’s Information Resources and their liability therefor.
HPO maintains and uses many facilities, equipment, and communication systems, such as telephones, regular mail, special delivery services, electronic mail (“Email”), voice mail, fax machines, computers, etc., designed to make HPO’s operations effective and efficient.
As with all HPO assets, HPO’s Information Resources are for official HPO business only. Use of HPO’s Information Resources is subject to these policies and guidelines and other relevant HPO policies and procedures.
This document addresses general Information Resources policies and guidelines, specific issues related to appropriate content, and User use of HPO’s Information Resources. All Users MUST follow these general policies and guidelines.
Users shall not disseminate information from any Information Resources unless they receive explicit written permission from the CTO or their designee to do so. The use of HPO Information Resources is limited to Acceptable Use as defined in these policies and guidelines.
B. Ownership and License
All of the HPO Information Resources, hardware, software, and assets are the sole and exclusive property of HPO and, as relevant, its vendors and licensors. Any User accessing Information Resources agrees to the following license: Subject to and conditioned on User's payment of fees under applicable agreement with HPO (if User is an HPO client) and compliance with all other terms and conditions of this Policy, HPO hereby grants to User a non-exclusive, non-sublicensable, and non-transferable license to use the Information Resources solely for the uses expressly stated until such License is revoked hereunder or terminated in accordance with any agreement between User and HPO (if User is a client).
C. Personal devices/Personal Accounts
Users shall not bring their personal equipment (laptops, desktops, iPads, other similar devices), including all computer hardware and software, into HPO company premises, or use it for HPO’s official business, without the prior express written consent (email acceptable) of HPO’s Chief Privacy Officer or Data Security Staff.
D. Protecting Confidential Information
Maintaining the confidentiality of sensitive information is crucial to HPO's success.
Confidential information stored on or carried over HPO’s Information Resources could become the subject of accidental or intentional interception, mis-delivery, hacking or even unauthorized internal review unless Users take the necessary precautions outlined in these guidelines.
HPO has developed specific procedures to ensure the protection of confidential information. Users must exercise care when communicating any potentially confidential information outside of HPO, as no electronic communications facility is completely secure.
Some directories or data stored in HPO’s Information Resources contain sensitive or confidential data. Access to these directories shall be restricted.
The information belonging to consumers, customers, and clients of HPO is of paramount importance. Users must at ALL times protect this crucial information.
Prohibited Acts:
Prohibited acts with respect to consumer information include, but are not limited to, the following:
- Unauthorized attempts to circumvent such access restrictions;
- Entering into discussions with third parties regarding HPO's business prospects or financial condition.
- Discussing HPO's future products, services, features or functionality with a third party unless HPO has previously disclosed such information in a press release or through some other public disclosure. Such information is proprietary to HPO and constitutes valuable information that should be protected as a trade secret. The release of such information could become the subject of criminal prosecution.
- Sharing assets of HPO (including any and all data) with any non-HPO individuals or parties unless:
  - A need-to-know situation exists;
  - Such disclosure has been pre-approved in writing by a C-level Staff member;
  - The planned disclosure has been approved by the HPO Privacy Officer and Data Security team;
  - The disclosure is permitted within HPO policies and processes;
  - An HPO-approved Non-Disclosure Agreement has been fully signed (template available from legal department) and all other Legal-department required documentation has been signed;
  - If consumer health data which may be considered PHI is to be disclosed, an HPO-approved Business Associate Agreement has been fully signed;
  - As applicable, vendor/third party documentation and contracts not named above have been fully signed; and
  - Third party/vendor due diligence has been fully performed in accordance with HPO procurement due diligence processes then in place.
- Placing HPO material (e.g., copyrighted software, internal correspondence) on any publicly accessible Internet computer without prior express written permission from HPO’s Chief Technology Officer.
Users must protect voice mail and E-mail accounts from unauthorized access. Appropriate protection procedures include ensuring proper password protection of these accounts, closing E-mail messages after reading them, and deleting all messages when they are no longer needed.
The Internet does not guarantee the privacy and confidentiality of information. Sensitive material transferred over the Internet/E-Mail may be at risk of detection by a third-party. Users must exercise caution and care when transferring such material in any form and must do so only using secure E-mail.
Questions regarding confidential or proprietary information should be directed to HPO C-level management or their designee.
E. Liability and Indemnification
User shall indemnify, defend, and hold harmless HPO and its affiliates, and each of its and their respective officers, directors, employees, agents, subcontractors, successors and assigns (each, an "HPO Indemnitee") from and against any and all losses incurred by User resulting from:
- a third party claim that any intellectual property rights or other right of any person, or any law, is or will be infringed, misappropriated, or otherwise violated by any:
  - use or combination of the Information Resources by or on behalf of User or any of its representatives with any hardware, software, system, network, service, or other matter whatsoever that is neither provided by HPO nor authorized by HPO in this Policy; and
  - information, materials, or technology directly or indirectly provided by User or directed by User to be installed, combined, integrated, or used with, as part of, or in connection with the Information Resources;
- relating to facts that, if true, would constitute a breach by User of this Policy;
- relating to negligence, abuse, misapplication, misuse or more culpable act or omission (including recklessness or willful misconduct) by or on behalf of User with respect to the Information Resources or otherwise in connection with this Policy; or
- relating to use of the Information Resources by or on behalf of User that is outside the purpose, scope or manner of use authorized by this Policy, or in any manner contrary to Licensor's instructions.
F. Third Party Software and agreements
HPO’s license to use software is carefully set forth in legal agreements that HPO has with the developers and distributors of the software. User use of software must be in compliance with those agreements. If HPO gives User the opportunity to use certain software, copying of that software is strictly prohibited. After any User access termination of any kind, all HPO owned software, licenses, and media will remain with HPO. Users may not modify, reverse engineer, disassemble or decompile any software unless given explicit written permission to do so by the HPO CTO.
Unless otherwise noted, all software on the Internet should be considered copyrighted work. Therefore, Users are prohibited from downloading software, using materials found on the internet, and/or modifying any such files without written permission from the copyright holder in any use of the Information Resources.
G. User Privacy Statement
All data in any Information Resources, including any that is stored or printed as a document, is subject to HPO audit and review.
No User has a reasonable expectation of personal privacy with respect to the use of any of HPO’s property, equipment or systems during their relationship with HPO and after such relationship ends. User hereby waives any such right to privacy with respect to HPO Information Resources.
The above includes anything created or received on HPO’s Information Resources even if used for business purposes and in the normal course of HPO operations.
HPO reserves the right, but not the obligation, to monitor use of HPO’s Information Resources including the Internet, E-mail, computer transmissions, and electronically stored information created or received by Users with HPO's Information Resources. All computer applications, programs, work-related information created or stored by Users on HPO's Information Resources are HPO property.
H. Monitoring and Inspecting Information Resources
HPO’s Information Resources are owned and controlled by HPO and are accessible at all times by HPO for maintenance, upgrades and other business or legal purposes.
All Information Resources, including the messages and data stored on the systems, are always and remain the property of HPO, subject to applicable third-party intellectual property rights such as copyrights. By virtue of continued employment and use of HPO systems, all Users are considered to have consented to monitoring and other access by authorized HPO personnel. HPO reserves the right to inspect a User’s account in any Information Resources for violations of HPO policies.
HPO reserves the right to access and conduct an inspection or search of all directories, indices, files, databases, faxes, HPO computer hardware and software, voice mail, E-mail and communication systems or deliveries sent to any HPO location, and other Information Resources no matter to whom they are addressed, with no prior notice. HPO may also cancel or restrict any User’s privilege to use any or all of its Information Resources, equipment, property, or communication systems based on a known or suspected issue pertaining thereto or possible misuse thereof.
HPO management may examine User communications or files and such examination should be expected to occur in various circumstances when necessary, including, but not limited to:
- Ensuring that HPO systems are not being used to transmit discriminatory, harassing, or offensive messages of any kind.
- Determining the presence of illegal material or unlicensed software.
- Ensuring that communication tools are not being used for unauthorized, disruptive, or improper uses.
- Investigating allegations or indications of impropriety.
- Locating, accessing, and/or retrieving information.
- Responding to legal proceedings and court orders in the preservation or production of evidence.
HPO reserves the right to review Users' use of and to inspect all material created by or stored on HPO Information Resources. HPO reserves the right to monitor all use of Information Resources to access, review, copy, delete, or disclose messages and data derived from any use. All messages or data become property of HPO, subject to access, review, duplication, deletion, or disclosure by HPO management or by other personnel authorized by HPO.
Users should be aware that billing practices, firewall protections, and traffic flow monitoring programs often maintain detailed audit logs setting forth addresses, times, durations, etc. of communications both within and external to HPO.
Users should treat HPO’s Information Resources with the expectation that communications will be available for review by authorized personnel of HPO for legitimate business purposes at any time.
HPO reserves the right to access, review, duplicate, delete or disclose for legitimate business purposes any communications, messages or data derived from use of HPO's Information Resources.
The above includes the monitoring of password protected, encrypted, and deleted files, which will include but not be limited to any identified as private or personal by Users.
I. Storing and Archiving Information
HPO has developed specific archival procedures to ensure the safe retention of electronic data. Most files are subject to routine back-up procedures. Copies of documents and electronic messages may be retained for long periods of time. By virtue of various archival practices employed at HPO, any messages or data stored, even temporarily, on HPO Information Resources may be copied without the specific knowledge of the individual creating the messages or data. Such archives are and remain HPO property and may be used by HPO for any business purpose. Simply deleting messages or data from these Information Resources does not provide privacy with regard to such messages or data. The length of time that such archives may be maintained can be almost indefinite. Users may be required to preserve their electronic data based on pending litigation and/or investigations by HPO.
J. Usage and Awareness
The use of Information Resources is restricted to official HPO business. Any Information Resources use that could cause congestion, disruption of normal service, or general additional HPO expense is prohibited.
Hacking or unauthorized attempts or entry into any other computer is forbidden. Such an action is a violation of the Federal Electronic Communications Privacy Act (ECPA) 18 U.S.C. 2510.
Sending threatening, slanderous, racially and/or sexually harassing messages is strictly prohibited. The representation of yourself as someone else, real or fictional, or a message sent anonymously is prohibited.
Users must not copy or transfer electronic files without prior HPO permission. Software and Information Resources are subject to federal copyright laws. Care should be exercised whenever accessing or copying any information. When in doubt, consult HPO Data Security management. Unauthorized or illegal use of third-party intellectual property is prohibited. Such use includes, but is not limited to, downloading, or using copyrighted or patented software, video and audio clips or documents on HPO’s Information Resources in a manner inconsistent with relevant license terms or other intellectual property rights.
Users shall not send, post, or provide access to any confidential HPO materials or data from Information Resources or information to anyone outside of HPO that has not been previously authorized by HPO Data Security.
Users are obligated to cooperate with any investigation regarding the use of Information Resources.
Alternate internet service provider connections to HPO’s internal network are not permitted unless prior express consent has been given by HPO management and properly protected by a firewall or other appropriate security device(s).
K. Security and Information Resources Awareness
The protection of HPO data and the secure use of Information Resources is the responsibility of all Users. The practices listed below are not all-inclusive, but rather designed to remind each User of the need to raise their Security and Information Resources awareness.
- Protect passwords. Never write them down or give them to anyone. See more about passwords below.
- Protect files. Do not allow unauthorized access to files or data. Never leave equipment unattended with the password activated — log off.
- Back up data. Keep duplicates of critical data in a safe place.
- Report security violations. Immediately report any loss of data or programs, whether automated or hard copy.
- Always store the minimum necessary information.
L. E-Mail Usage
To the extent a User has access to HPO E-mail, E-mail will be sent for official HPO business only. No personal E-mail shall be sent or received via HPO Internet accounts.
Management reserves the right, but not the obligation, to access all E-mail files created, received, or stored on HPO Information Systems and such files can be accessed without prior notification.
Mail on the internet is not secure. If an E-mail needs to be sent that contains private or confidential information, Users must use “securex” in the subject line to ensure proper encryption. Otherwise, E-mail is sent unencrypted and is easily read.
Refer to the E-mail Policy for additional information on acceptable E-mail usage and etiquette.
E-mail must not contain any customer, client, consumer or company data of any kind unless such transmissions are sent (a) only to the proper recipients; (b) only to the minimum persons necessary for the transmission; and (c) only via secure E-mail. If you have questions on secure E-mail, please E-mail privacy@hpone.com. Users are prevented from sending software or .exe files through E-mail. You may not send information from HPO E-mail to your personal E-mail(s).
Do not open any E-mail attachments from unsolicited sources. Delete such E-mail immediately, then permanently delete it by emptying your ‘deleted items’ folder in Outlook.
Do not open spam, chain E-mail, and similar items.
M. Securing Information Resources With Passwords
Prior express consent for Information Resources access must be obtained through HPO IT management. Once HPO provides prior express consent, User shall be responsible for the security of their account password and will be held responsible for all use or misuse of his or her account. No other password or security device shall be used without approval by HPO management.
Each HPO Information Resource may allow Users to set or change their password. If so, set the password and change it regularly. Guidelines for choosing and setting passwords should be obtained from the Password Management Policy and Password Management Procedure. Periodic password changes keep undetected intruders from continuously using the password of a legitimate user.
Users must never disclose their unique account password to anyone.
Users must maintain secure passwords and never use an account assigned to another user.
HPO reserves the right to override the User's password and other security features when it has a need to do so. Should a time come when User loses access to Information Resources, or at any other appropriate time, HPO may replace that password with another of HPO’s choosing.
N. Protecting Information Resources From Viruses
HPO provides virus protection software to help safeguard Information Resources. These systems are not totally foolproof. As such, be particularly cautious when opening any E-mail with an attachment.
O. Encrypting Data
Only HPO authorized encryption tools (both software and hardware) may be used in connection with Information Resources. Except with the prior written consent of HPO senior management, all encryption tools must permit HPO to access and recover all encrypted information.
P. Acceptable Use
Authorized Use. The authorized use of HPO Information Resources is limited to HPO’s official business. HPO provides Information Resources and communication tools to facilitate business communication and enhance personal productivity. HPO reserves the right to prohibit or restrict use of HPO Information Resources for any reason and at any time.
Q. Unacceptable Use
In addition to the prohibitions contained elsewhere, the following are prohibited uses of HPO INFORMATION RESOURCES:
- Unauthorized Use. Excessive personal and other use of Information Resources inconsistent with this or any other HPO policy is unauthorized. Under no circumstances are HPO’s Information Resources to be used for personal financial gain or to solicit others for activities unrelated to official HPO business, such as solicitations for personal, political, or religious causes. Installation of software without approval from HPO management is unauthorized.
- Disruptive Use. Use that may reasonably be considered offensive or disruptive to any individual or organization, or to harmony within the workplace is prohibited. Such disruptive use includes, but is not limited to, transmission, retrieval, storage, or display of defamatory, obscene, offensive, politically motivated, slanderous, harassing, or illegal data, or messages that disclose personal information without authorization.
- Prohibited use. Unauthorized or illegal use of third-party intellectual property is prohibited. Such use includes, but is not limited to, downloading or using copyrighted or patented software, video and audio clips or documents on Information Resources in a manner inconsistent with relevant license terms or other intellectual property rights. When in doubt about the existence or scope of a license or about appropriate use of copyrighted, patented, or otherwise proprietary third-party data or software code, Users should contact HPO management. Users are expressly prohibited from using HPO’s Information Resources to store or access pornography.
R. Data Center
Data Center use and management will be governed by HPO internal IT policies and processes.
S. Reporting
Any suspected breach or incident regarding HPO data, consumer data, client data, technology, software, or services should be reported immediately to 1-833-835-0826.
T. Violations
Access to HPO Information Resources may be revoked at any time for violation or suspected violation of this policy.
VI. Distribution
This policy is to be distributed to all Users who use Information Resources.
Policy History
Version | Date | Description | Approved by
1.0 | 6/15/2023 | Initial policy release | SBK
References:
HIPAA 164.308(a)(1)(ii)(B), 164.312(a)(2)(iv)
PCI 12.3.5
HITRUST CSF v9.3, 02.a, 06.e, 07.c